diff --git a/debian/changelog b/debian/changelog
index faeb8c174..85d3eeb31 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,10 @@
-linux (4.19.2-1~exp1) UNRELEASED; urgency=medium
+linux (4.19.3-1~exp1) UNRELEASED; urgency=medium
 
   * New upstream release: https://kernelnewbies.org/Linux_4.19
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.1
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.3
 
   [ Ben Hutchings ]
   * linux-perf: Enable verbose output for build-time feature detection
diff --git a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
index e9ede65b8..2bd2ce1d3 100644
--- a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
+++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
@@ -18,6 +18,7 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
  - Pass result of efi_get_secureboot() in stub through to
    efi_set_secure_boot() in main kernel
  - Use lockdown API and naming]
+[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
 ---
  arch/arm64/Kconfig                      | 13 +++++++++++++
  drivers/firmware/efi/arm-init.c         |  7 +++++++
@@ -50,7 +51,7 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
  		return;
 --- a/drivers/firmware/efi/efi.c
 +++ b/drivers/firmware/efi/efi.c
-@@ -635,7 +635,8 @@ static __initdata struct params fdt_para
+@@ -657,7 +657,8 @@ static __initdata struct params fdt_para
  	UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
  	UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
  	UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
@@ -62,23 +63,22 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
  static __initdata struct params xen_fdt_params[] = {
 --- a/drivers/firmware/efi/libstub/fdt.c
 +++ b/drivers/firmware/efi/libstub/fdt.c
-@@ -158,6 +158,13 @@ static efi_status_t update_fdt(efi_syste
- 			return efi_status;
+@@ -159,6 +159,12 @@ static efi_status_t update_fdt(efi_syste
  		}
  	}
-+
+ 
 +	fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
 +	status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
 +			     &fdt_val32, sizeof(fdt_val32));
 +	if (status)
 +		goto fdt_set_fail;
 +
- 	return EFI_SUCCESS;
+ 	/* shrink the FDT back to its minimum size */
+ 	fdt_pack(fdt);
  
- fdt_set_fail:
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -749,6 +749,7 @@ struct efi_fdt_params {
+@@ -786,6 +786,7 @@ struct efi_fdt_params {
  	u32 mmap_size;
  	u32 desc_size;
  	u32 desc_ver;